Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Adequate Elliptic Curve for Computing the Product of n Pairings

Many pairing-based protocols require the computation of the product and/or of a quotient of n pairings where n > 1 is a natural integer. Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit security level is suitable for such protocols comparatively to the Baretto- Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12). In this work, we provide important corrections and improvements to their work based on the computation of the optimal Ate pairing. We focus on the computation of the nal exponentiation which represent an important part of the overall computation of this pairing. Our results improve by 864 multiplications in Fp the computations of Zhang et al.[1]. We prove that for computing the product or the quotient of 2 pairings, BLS12 curves are the best solution. In other cases, specially when n > 2 as mentioned in [1], KSS16 curves are recommended for computing product of n pairings. Furthermore, we prove that the curve presented by Zhang et al.[1] is not resistant against small subgroup attacks. We provide an example of KSS16 curve protected against such attacks

Optimal Ate Pairing on Elliptic Curves with Embedding Degree 9,159,15 and 2727

Much attention has been given to the efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The few existing works in the case of odd embedding degrees require some improvements. This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees $k=9$, $15$, $27$ which have twists of order three. Our main goal is to provide a detailed arithmetic and cost estimation of operations in the tower extensions field of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost for the Miller step and the final exponentiation using the lattice-based method as compared to the previous few works that exist in these cases. In particular, for $k=15$, $k=27$, we obtain an improvement, in terms of operations in the base field, of up to 25% and 29% respectively in the computation of the final exponentiation. We also find that elliptic curves with embedding degree $k=15$ present faster results than BN12 curves at the 128-bit security level. We provide a MAGMA implementation in each case to ensure the correctness of the formulas used in this work.Comment: 25 page

Computing Optimal Ate Pairings on Elliptic Curves with Embedding Degree 9,159,15 and 2727

Much attention has been given to efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The existing few works in the case of odd embedding degrees require some improvements. This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees k=9, 15 \mbox{ and } 27 which have twists of order three. Mainly, we provide a detailed arithmetic and cost estimation of operations in the tower extensions field of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost for the Miller step and the final exponentiation using the lattice-based method comparatively to the previous few works that exist in these cases. In particular for $k=15$ and $k=27$ we obtained an improvement, in terms of operations in the base field, of up to $25\%$ and $29\%$ respectively in the computation of the final exponentiation. Also, we obtained that elliptic curves with embedding degree $k=15$ present faster results than BN$12$ curves at the $128$-bit security levels. We provided a MAGMA implementation in each case to ensure the correctness of the formulas used in this work

Still Wrong Use of Pairings in Cryptography

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too ine cient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/e ciency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings

Pairing-Based Cryptography - Pairing 2012 : 5th International Conference, Cologne, Germany, May 16-18, 2012, Revised Selected Papers

This book constitutes the refereed proceedings of the 5th International Conference on Pairing-Based Cryptography, Pairing 2012, held in Cologne, Germany, in May 2012. The 17 full papers for presentation at the academic track and 3 full papers for presentation at the industrical track were carefully reviewed and selected from 49 submissions. These papers are presented together with 6 invited talks. The contributions are organized in topical sections on: algorithms for pairing computation, security models for encryption, functional encryption, implementations in hardware and software, industry track, properties of pairings, and signature schemes and applictions

Secure Authentication and Privacy-Preserving Techniques in Vehicular Ad-hoc NETworks (VANETs)

In the last decade, there has been growing interest in Vehicular Ad Hoc NETworks (VANETs). Today car manufacturers have already started to equip vehicles with sophisticated sensors that can provide many assistive features such as front collision avoidance, automatic lane tracking, partial autonomous driving, suggestive lane changing, and so on. Such technological advancements are enabling the adoption of VANETs not only to provide safer and more comfortable driving experience but also provide many other useful services to the driver as well as passengers of a vehicle. However, privacy, authentication and secure message dissemination are some of the main issues that need to be thoroughly addressed and solved for the widespread adoption/deployment of VANETs. Given the importance of these issues, researchers have spent a lot of effort in these areas over the last decade. We present an overview of the following issues that arise in VANETs: privacy, authentication, and secure message dissemination. Then we present a comprehensive review of various solutions proposed in the last 10 years which address these issues. Our survey sheds light on some open issues that need to be addressed in the future

Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes

Efficient Implementations of Pairing-Based Cryptography on Embedded Systems

Many cryptographic applications use bilinear pairing such as identity based signature, instance identity-based key agreement, searchable public-key encryption, short signature scheme, certificate less encryption and blind signature. Elliptic curves over finite field are the most secure and efficient way to implement bilinear pairings for the these applications. Pairing based cryptosystems are being implemented on different platforms such as low-power and mobile devices. Recently, hardware capabilities of embedded devices have been emerging which can support efficient and faster implementations of pairings on hand-held devices. In this thesis, the main focus is optimization of Optimal Ate-pairing using special class of ordinary curves, Barreto-Naehring (BN), for different security levels on low-resource devices with ARM processors. Latest ARM architectures are using SIMD instructions based NEON engine and are helpful to optimize basic algorithms. Pairing implementations are being done using tower field which use field multiplication as the most important computation. This work presents NEON implementation of two multipliers (Karatsuba and Schoolbook) and compare the performance of these multipliers with different multipliers present in the literature for different field sizes. This work reports the fastest implementation timing of pairing for BN254, BN446 and BN638 curves for ARMv7 architecture which have security levels as 128-, 164-, and 192-bit, respectively. This work also presents comparison of code performance for ARMv8 architectures

Pairing-Based Cryptography - Pairing 2012 : 5th International Conference, Cologne, Germany, May 16-18, 2012, Revised Selected Papers

This book constitutes the refereed proceedings of the 5th International Conference on Pairing-Based Cryptography, Pairing 2012, held in Cologne, Germany, in May 2012. The 17 full papers for presentation at the academic track and 3 full papers for presentation at the industrical track were carefully reviewed and selected from 49 submissions. These papers are presented together with 6 invited talks. The contributions are organized in topical sections on: algorithms for pairing computation, security models for encryption, functional encryption, implementations in hardware and software, industry track, properties of pairings, and signature schemes and applictions